The maker of Dark Souls, a popular video games series, has shut down its servers for over 113 days due to CVE-2022-24126, a remote code execution (RCE) vulnerability that could allow a hacker to take over a user’s PC and put its active player base at risk.
On May 10, the game’s publisher, Bandai Namco, said that developers from FromSoftware, the Japanese firm that created the series, were “actively working on resolving the issue in question” and that servers would be running “as soon as possible.” As of this publishing, every game in the Dark Souls series (Dark Souls 3, Dark Souls 2, Dark Souls: Remastered, and Dark Souls: Prepare to Die Edition) remain offline.
In its statement, Bandai Namco did not address the specific issue they were fixing, nor did they mention two other active vulnerabilities—namely CVE-2022-24125 and CVE-2021-34170—that have been confirmed to be affecting those games in addition to CVE-2022-24126.
Flashpoint reached out to Bandai Namco Entertainment. As of this publishing we have not received a reply. We will update this post if we do. For now, let’s examine what we know.
PaleTongue: Naming an unnamed Dark Souls RCE vulnerability
On January 21, Risk Based Security (RBS), a Flashpoint company, became aware of an unnamed RCE vulnerability that affected Dark Souls 3’s networking functionality. It was originally discovered by William Tremblay, a math and computer science major at McGill University.
Internally, we named it “PaleTongue” after the Dark Souls 3 multiplayer item that proves an invader’s victory over another player, which mirrors the conditions of this exploit. We assigned it a VulnDB ID along with a CVSS score of 9.3—a critical severity rating.
CISA takes note
Although initially ignored, PaleTongue would later force FromSoftware to take down its Dark Souls servers and, after a few months, it was reported to CVE which then assigned it CVE-2022-24126. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also included it in their March 2022 National Cyber Awareness System Bulletin—a resource dedicated to notifying organizations of newly disclosed vulnerabilities.
The other RCE vulnerability affecting Dark Souls: CVE-2021-34170
Long before CVE-2022-24126 (AKA PaleTongue) was reported to FromSoftware, another RCE vulnerability had already been disclosed. In 2020, Luke Yui, a Dark Souls modder, told the developers of a similar issue that would allow a hacker to run arbitrary code, enabling them to perform malicious acts including taking over a player’s computer. This issue is distinct from CVE-2022-24126. At this time, the vulnerability has a CVSSv2 score of 10.0—the highest score possible.
Like Mr. Tremblay, Mr. Yui did not receive a response from FromSoftware or Bandai Namco. He eventually reported this separate RCE vulnerability to CVE, which then designated it CVE-2021-34170. CISA included CVE-2021-34170 in their National Cyber Awareness System Bulletin in June 2021.
Elden Ring connection
CVE-2021-34170 had been confirmed to affect Elden Ring, FromSoftware’s latest game that sold over 12 million copies in the first two weeks after its release in February of this year. This RCE vulnerability has been reportedly fixed in Elden Ring.
In an email, Mr. Tremblay told Flashpoint that CVE-2021-34170 has been patched in Elden Ring—however, it still remains unfixed for the Dark Souls series. In addition, he also confirmed that Elden Ring is no longer affected by PaleTongue, or CVE-2022-241256.
All of the vulnerabilities affecting Dark Souls
Vendors often reuse code in their products, and this is a common trend that occurs even in commercial software. When you closely examine a code-driven product, it is likely that one vulnerability will also affect other products in that family, which is the case for Dark Souls.
In a gaming context, gamers may associate “exploits” or “hacks” with flaws in the game that allow abuse of level design, items, or mechanics. In a cybersecurity context, however, which is what’s at play here, these particular types of exploits can have consequences outside of a player’s actual gaming session.
As far as we know, there are three vulnerabilities that pose a threat to Dark Soul’s active player base.
CVE-2022-24126 is the RCE vulnerability that forced servers to be taken down. This flaw enables an attacker to run custom code allowing them to perform a wide variety of malicious or exploitative tasks, including taking control of a player’s PC and stealing data found outside of the game.
Public statements from Bandai Namco suggest the company is referring to this vulnerability, but it has not been explicit.
A point that no other publication, or Bandai Namco has mentioned is that there is a counterpart to CVE-2022-24126—that being CVE-2022-24125. When a threat actor uses this vulnerability alongside CVE-2022-24126, the attack vector greatly increases because it enables the attacker to potentially send shellcode to hundreds of thousands of players online at once.
Reported by Luke Yui, this vulnerability enables hackers to run arbitrary code to perform malicious tasks including taking control of a player’s PC, similar to CVE-2022-24126.
Which issues are Bandai Namco/FromSoftware fixing?
To date, in terms of official correspondence, both Bandai Namco and FromSoftware has been somewhat opaque regarding remediation and timeline.
Over the past four months, only two official responses have been released regarding the Dark Souls server shutdowns. The first is the tweet embedded above, and the second was an email sent to a curious fan from a Bandai Namco representative.
Taking Bandai Namco on their exact words, it assumes that the “issue in question” is CVE-2022-24126, the RCE that prompted the shutdown. It is possible that FromSoftware is patching its counterpart, CVE-2022-24125. However, Dark Souls could still be at risk if CVE-2021-34170 is not patched by the time servers come back online.
We’ve reached out to representatives at Bandai Namco for clarification but have yet to receive a response. We will update this post when and if we do.
Said Mr. Tremplay, “All the significant [vulnerabilities], including 2021-34170, were fixed in Elden Ring. Hence, I would expect them to fix them in Dark Souls III (or any older games affected by this vulnerability) as well.”
Bandai reportedly experiences ransomware attack [updated]
On July 11, the ALPHV ransomware group, also known as BlackCat, claimed to have breached Bandai Namco:
The Bandai ransomware attack adds to the growing list of video game publishers targeted by malicious threat actors. Last year, Electronic Arts Inc. reported that they had suffered a data breach. Not too long after, Capcom disclosed how hackers had infiltrated their systems.
Bandai Namco released a public statement regarding ALPHV’s ransom claim. According to Bandai, there is a possibility that customer information related to their Toys and Hobby Business in Asian regions (excluding Japan) may have been included in affected servers and PCs.
Everything is vulnerable, including video games
If a product contains flaws that are harmful to its users, its creators need to be transparent and provide ways or plans to resolve them. Everything is vulnerable and when it comes to security, your network is often as strong as your weakest link. Sometimes we don’t consider the inherent risks that internet-facing software introduces, so many forget that their home monitoring system or smart refrigerator can be taken advantage of. And now, we have to add video games to that list.
The good news is that having comprehensive vulnerability intelligence helps you discover these concerns when no one else, including their creators, are paying attention to them.